From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Ahern <dsahern@gmail.com>,
syzbot+a61aa19b0c14c8770bd9@syzkaller.appspotmail.com,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.7 03/15] net: nexthop: dont allow empty NHA_GROUP
Date: Wed, 26 Aug 2020 14:02:31 +0200 [thread overview]
Message-ID: <20200826114849.468079562@linuxfoundation.org> (raw)
In-Reply-To: <20200826114849.295321031@linuxfoundation.org>
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
[ Upstream commit eeaac3634ee0e3f35548be35275efeca888e9b23 ]
Currently the nexthop code will use an empty NHA_GROUP attribute, but it
requires at least 1 entry in order to function properly. Otherwise we
end up derefencing null or random pointers all over the place due to not
having any nh_grp_entry members allocated, nexthop code relies on having at
least the first member present. Empty NHA_GROUP doesn't make any sense so
just disallow it.
Also add a WARN_ON for any future users of nexthop_create_group().
BUG: kernel NULL pointer dereference, address: 0000000000000080
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 558 Comm: ip Not tainted 5.9.0-rc1+ #93
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014
RIP: 0010:fib_check_nexthop+0x4a/0xaa
Code: 0f 84 83 00 00 00 48 c7 02 80 03 f7 81 c3 40 80 fe fe 75 12 b8 ea ff ff ff 48 85 d2 74 6b 48 c7 02 40 03 f7 81 c3 48 8b 40 10 <48> 8b 80 80 00 00 00 eb 36 80 78 1a 00 74 12 b8 ea ff ff ff 48 85
RSP: 0018:ffff88807983ba00 EFLAGS: 00010213
RAX: 0000000000000000 RBX: ffff88807983bc00 RCX: 0000000000000000
RDX: ffff88807983bc00 RSI: 0000000000000000 RDI: ffff88807bdd0a80
RBP: ffff88807983baf8 R08: 0000000000000dc0 R09: 000000000000040a
R10: 0000000000000000 R11: ffff88807bdd0ae8 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88807bea3100 R15: 0000000000000001
FS: 00007f10db393700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000007bd0f004 CR4: 00000000003706f0
Call Trace:
fib_create_info+0x64d/0xaf7
fib_table_insert+0xf6/0x581
? __vma_adjust+0x3b6/0x4d4
inet_rtm_newroute+0x56/0x70
rtnetlink_rcv_msg+0x1e3/0x20d
? rtnl_calcit.isra.0+0xb8/0xb8
netlink_rcv_skb+0x5b/0xac
netlink_unicast+0xfa/0x17b
netlink_sendmsg+0x334/0x353
sock_sendmsg_nosec+0xf/0x3f
____sys_sendmsg+0x1a0/0x1fc
? copy_msghdr_from_user+0x4c/0x61
___sys_sendmsg+0x63/0x84
? handle_mm_fault+0xa39/0x11b5
? sockfd_lookup_light+0x72/0x9a
__sys_sendmsg+0x50/0x6e
do_syscall_64+0x54/0xbe
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f10dacc0bb7
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 8b 05 9a 4b 2b 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 f2 2a 00 f7 d8 64 89 02 48
RSP: 002b:00007ffcbe628bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ffcbe628f80 RCX: 00007f10dacc0bb7
RDX: 0000000000000000 RSI: 00007ffcbe628c60 RDI: 0000000000000003
RBP: 000000005f41099c R08: 0000000000000001 R09: 0000000000000008
R10: 00000000000005e9 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ffcbe628d70 R15: 0000563a86c6e440
Modules linked in:
CR2: 0000000000000080
CC: David Ahern <dsahern@gmail.com>
Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
Reported-by: syzbot+a61aa19b0c14c8770bd9@syzkaller.appspotmail.com
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/nexthop.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -402,7 +402,7 @@ static int nh_check_attr_group(struct ne
struct nexthop_grp *nhg;
unsigned int i, j;
- if (len & (sizeof(struct nexthop_grp) - 1)) {
+ if (!len || len & (sizeof(struct nexthop_grp) - 1)) {
NL_SET_ERR_MSG(extack,
"Invalid length for nexthop group attribute");
return -EINVAL;
@@ -1104,6 +1104,9 @@ static struct nexthop *nexthop_create_gr
struct nexthop *nh;
int i;
+ if (WARN_ON(!num_nh))
+ return ERR_PTR(-EINVAL);
+
nh = nexthop_alloc();
if (!nh)
return ERR_PTR(-ENOMEM);
next prev parent reply other threads:[~2020-08-26 12:07 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-26 12:02 [PATCH 5.7 00/15] 5.7.19-rc1 review Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 01/15] gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 02/15] net: Fix potential wrong skb->protocol in skb_vlan_untag() Greg Kroah-Hartman
2020-08-26 12:02 ` Greg Kroah-Hartman [this message]
2020-08-26 12:02 ` [PATCH 5.7 04/15] net: qrtr: fix usage of idr in port assignment to socket Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 05/15] net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 06/15] net: sctp: Fix negotiation of the number of data streams Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 07/15] net/smc: Prevent kernel-infoleak in __smc_diag_dump() Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 08/15] tipc: call rcu_read_lock() in tipc_aead_encrypt_done() Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 09/15] tipc: fix uninit skb->data in tipc_nl_compat_dumpit() Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 10/15] net: ena: Make missed_tx stat incremental Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 11/15] ethtool: Fix preserving of wanted feature bits in netlink interface Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 12/15] ethtool: Account for hw_features " Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 13/15] ethtool: Dont omit the netlink reply if no features were changed Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 14/15] powerpc/64s: Dont init FSCR_DSCR in __init_FSCR() Greg Kroah-Hartman
2020-08-26 12:02 ` [PATCH 5.7 15/15] binfmt_flat: revert "binfmt_flat: dont offset the data start" Greg Kroah-Hartman
2020-08-26 14:49 ` [PATCH 5.7 00/15] 5.7.19-rc1 review David K. Kahurani
2020-08-26 14:53 ` Greg KH
2020-08-26 16:03 ` Jon Hunter
2020-08-26 20:48 ` Guenter Roeck
2020-08-27 8:09 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200826114849.468079562@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dsahern@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nikolay@cumulusnetworks.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+a61aa19b0c14c8770bd9@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.